[18.0] dms: Broken access rules

[LorenzoC0]

Module

dms

Describe the bug

The write, unlink and create access permissions defined in the dms groups are not working as intended. Every operation is allowed regardless of the permissions the user has at that time.

To Reproduce

Affected versions:

• 18.0
• 16.0 - Not affected

Steps to reproduce the behavior:

1. Create a new access group with "Create access" and "Unlink access" active. Leave "Write access" unchecked.
2. Make sure the user you're on is included in the access group
3. Setup a storage with a root folder.
4. Assign the newly created group to the root folder just created.
5. Upload a file in the folder.
6. Open Form view of the file.
7. Create a new Tag and add it to the file
8. Save.

Expected behavior
The expected behavior after these steps is that the user should not be able to save the file since it does not have "Write access" as a permission.

[LorenzoC0]

TestDMSOCA.mp4

Here's a video of the issue on the latest Runboat

[eLBati]

@LorenzoC0 trying to fix with #435

[eLBati]

@kobros-tech @victoralmau any opinion about this? Thanks!

[kobros-tech]

@kobros-tech @victoralmau any opinion about this? Thanks!

Can you try something else rather than tag or category?

like update the name of the root folder.

[LorenzoC0]

TestDMSOCA2.mp4

@kobros-tech Yes, here's a video editing the root folder, I hope it's not compressed too hard.

As you can see I cannot edit the name of the folder, but the error indicates a missing permission with the dms access group records. Then I tried to directly delete the folder on the kanban view and it successfully does so without Unlink access in the group of the user

[victoralmau]

IMO this has already been fixed #436 (comment)